In recent years, the software included in an ECU has become sophisticated and large in scale, and its control processing has become multifunctional. Consequently, an ECU is generally provided with functions for carrying out maintenance operations, such as a function for setting adjustment data, a debugging function, and a function for updating the control software itself. A maintenance operation is carried out by connecting the ECU to an external operation terminal (also called a maintenance tool) and having an operator operate the operation terminal. The ECU reads data from its storage device and outputs the data to the operation terminal, or acquires data from the operation terminal and writes the data to its storage device.
Examples of data read from the storage device of the ECU by the maintenance tool include data for troubleshooting, such as a self-diagnosis history and an operation log. Examples of data written to the storage device of the ECU by the maintenance tool include a device adjustment value, which differs for each vehicle and is written by the manufacturer before product shipment, and update data for updating the control software (rewriting of firmware), which is written after product shipment by a dealer specified by the manufacturer. The work of updating the control software is sometimes carried out as a recall or a service campaign. Such maintenance functions are permitted only to the manufacturer, a dealer having a maintenance factory permitted by the manufacturer, and the like, and are not released to general users.
In particular, because the ECU controls an automobile, a change to the software or the data that can be made easily may lead to a failure or an accident. Furthermore, from the viewpoint of information security, such a change may threaten personal property in the vehicle. For example, invalidating an electronic key may facilitate vehicle theft. Personal information stored in a navigation system, such as data on one's own house, may be collected. In addition, a personal credit number may be stolen from an electronic toll collection system (ETC) device. Thus, the maintenance tool should not be leaked to general users and should not be operable by an unqualified person.
In the technique described in PTL 1, the maintenance tool has a function of measuring position information, and an authentication server authenticates the maintenance tool only in a case where the maintenance tool is within a predetermined range of latitude and longitude. By checking the position information of the maintenance tool, the technique aims to prevent the maintenance tool from being used by a malicious third person even in a case where, for example, the maintenance tool is stolen.
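The server-side decision described for PTL 1 can be sketched as follows. This is an added example, not code from PTL 1 or from this document; the tool ID, the registry layout, the coordinate values, and the function names are hypothetical, and the position is assumed to be the value reported by the maintenance tool itself.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PermittedArea:
    """Predetermined latitude/longitude range for one tool (hypothetical schema)."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat: float, lon: float) -> bool:
        return (self.lat_min <= lat <= self.lat_max
                and self.lon_min <= lon <= self.lon_max)


# Constructed sample registry: tool ID -> range around its maintenance factory.
REGISTERED_AREAS = {
    "TOOL-0001": PermittedArea(35.60, 35.62, 139.70, 139.73),
}


def authenticate_tool(tool_id: str,
                      lat: Optional[float],
                      lon: Optional[float]) -> tuple[bool, str]:
    """Return (authenticated, reason). Every failure path denies (fail closed)."""
    area = REGISTERED_AREAS.get(tool_id)
    if area is None:
        return False, "unknown tool"
    # A tool that cannot obtain a position fix must not be authenticated.
    if lat is None or lon is None:
        return False, "no position fix"
    # Reject NaN/inf and values outside the valid coordinate domain before
    # comparing against the registered range.
    if not (math.isfinite(lat) and math.isfinite(lon)):
        return False, "invalid position"
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return False, "invalid position"
    if not area.contains(lat, lon):
        return False, "outside permitted range"
    return True, "ok"
```
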